What do you look at if you are trying to better understand what is transpiring on your network?
PCAPs, raw captured network packets, provide network truth but can be cryptic to decipher and are really meant for machines. Rich network metadata, Zeek logs (formerly known as Bro) and IPFIX, provide insight into everything the network traffic can reveal and is human-oriented. The combination of PCAPs and rich network metadata represent the gold standard in the industry for visibility.
What do you look at when you are investigating a threat alert from your intrusion detection system (IDS) to validate it, follow its promulgation through your network, and assess its impact on your mission? PCAPs and rich metadata get the job done.
Finally, some threats are so new that no IDS knows what to look for, and as a result, some (known as zero-day threats) get onto networks before signatures are created to prevent them. These threats often reveal themselves through unexpected behavior on the network and require a manual threat hunt to detect. What data is used for threat hunting? It turns out that, again, PCAPs and rich metadata are used.
So, what changes so that PCAPs and rich network metadata can support network visibility, threat investigation, and threat hunting? What changes is merely the intent of the SOC analyst. Same environment – data and tools – with different intents results in the satisfaction of many different objectives.
What’s an environment that can morph on-demand with a mere change of intent look like?
It starts with data, network packets and rich metadata. This data needs to be stored and indexed. Tools for query, inspection, visualization, analysis, and reporting need to be identified and integrated to provide a workbench that allows analysts to manipulate and understand the data any way they desire. A single interface makes it easy-to-learn. And don’t forget the ongoing operational maintenance of continuous data feeds and daily signature updates. Pieces exist in the market, but Bricata has already brought all of this together in an out-of-the-box capability.
Security analyst intent 1: network visibility.
Curiosity drives the first intent to gain network visibility. Getting visibility means helping the analyst understand what’s happening on the network. Understanding what’s happening on the network is harder for a number of reasons including encryption, cloud, network sprawl, mergers and acquisitions (M&A), and supply chain risks, among many others.
Getting visibility doesn’t necessarily mean anything is wrong, it’s just a mechanism for sensing what normal network behavior looks like or explaining something that is puzzling.
Security analyst intent 2: threat alert investigation.
Threat alerts drive the second intent for threat investigation.
When a threat trips an alert in one or more of these detection methods, what does the analyst do? They start investigating and triaging the alert. First, they need to assess whether the alert found a real threat or is just a false alarm. If real, following the threat’s promulgation through the network and assessing its effects are paramount to contain its spread, stop its damage, eradicate it from endpoints, and remediate its damage.
Security analyst intent 3: hunting a threat that didn’t trigger an alert.
The trigger for threat hunting is the security analyst has a hunch that something undesirable is happening on the network. Threat actors study the protections enterprises put in place and strive to find ways to evade detection; the analyst has to go find them manually.
Threat hunting presupposes that a security analyst has a good sense of the baseline behavior of the network. Normal activities, even if seemingly strange, are known to be normal to the analyst. When abnormalities are identified, leads followed, and dots connected, the threat hunter can uncover threats that automated threat detection wasn’t able to find. And it starts with puzzling behavior or a hunch or even just by throwing out a motivating statement that “I’m owned, now let me find out how.”
Threat Hunting, Threat Investigation, Network Visibility is the Same Data Viewed and Analyzed with Different Intents
So, whether you are curious, responding to an alert, or just sure that something got by your automated defenses, Bricata gives you a self-inflating environment to understand, respond, and hunt to keep your network protected.
* * *
Does this sound hard? Bricata has made it really easy. See this product review by CSO Online – Bricata adds threat hunting to traditional IPS/IDS – or schedule a live demonstration to see how easy it is for yourself.
If you enjoyed this post, you might also like:
6 Ways Modern Threat Detection Keeps the Enterprise Ahead of Cybersecurity Trends
*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/threat-hunting-threat-investigation/